Ransomware attacks have created havoc across a range of industries – including the cyber-insurance sector, where insurance premia are rocketing to cover soaring losses. Looking into the security failures on some of these attacks raises the question of whether insurers were too lax in their underwriting practices: How could firms obtain insurance without fulfilling even the most basic cyber-hygiene standards? In fact, some critics see permissive underwriting and the sector’s ransomware resolution protocol as a root cause of the current cybercrime boom.
For scholars of “insurance as governance,” this lack of security governance is a puzzle. Economists, sociologists, and legal experts have long pointed out that insurers have a strong interest in managing moral hazard among their customers and in deterring crooks and criminals who might specifically target the insured to benefit from generous insurance pay-outs. There are many case studies across the insurance industry showing strict security rules as a precondition for obtaining insurance. In addition, insurers can monitor the insured’s behaviour and/or create stringent loss adjustment processes to ensure compliance during the contract period. Why didn’t this happen in cyber-insurance? Were insurers asleep at the wheel?
In our new paper, we study the history of cyber- and ransomware insurance to answer these questions. We quickly found that we had to shift the focus of our attention away from security governance to other forms of loss management. We can see exactly the kind of clever institution-building “insurance as governance” scholars would expect – but the norms, protocols, and services are focused on containing liabilities arising from cybercrime, not on preventing or managing the crime itself.
This makes sense, as cyber-insurance far predates the current ransomware boom. Cyber-insurance was mostly concerned with managing third party liabilities arising from privacy breaches. In its infancy, cyberextortion was hampered by the complexity of taking payment: having your victims send postal orders, mail gift vouchers, or call premium phone lines always created a risk of interception by law enforcement. Making ransom demands in the region of a few hundred dollars kept cyberextortion under the radar of the police – but also that of insurers.
What was far more problematic was getting the insured back online after a hacker attack and fulfilling all the obligations of a company holding sensitive personal information about their customers, patients, students, or suppliers. Who could get the computer systems up and running again? What data had been compromised? Who needed to be alerted, whose finances needed monitoring? Who provided PR advice to protect the brand after an embarrassing security failure? Insurers found that most of their customers were stumped by the complexity of curating their incident response and – infuriatingly – many inadvertently multiplied the insured damages by botching some aspect of it.
It therefore made sense for insurers to connect their customers to capable experts. Over time a complex and effective institutional crisis resolution architecture came into being that minimised downtime, potential liabilities, public exposure, and the risk of downstream litigation. Given the centrality of data protection rules in generating losses for insurance, the response was coordinated by privacy lawyers and thereby protected from prying eyes under client-attorney privilege. Cyberinsurers thereby created a hugely attractive product for their customers, whose primary concern was to get on with the business of making money before, during, and after malware incidents. As firms learnt what cyber-insurance could do for them, the market became ever larger and more competitive. If insurers worried about their customers’ security stance, there was little they could do about it without losing market share. High quality security and back-ups are expensive but not always effective, thus insurers could not offer sufficient premium rebates to make better security profitable for the customer.
Thus, when cryptocurrencies revolutionised the ransomware business by providing a hard-to-trace payments system, hackers found highly fertile ground for extorting money. Privacy lawyers (correctly) focused on containing the big-ticket items on the resolution bill – a ransom of thousands, tens of thousands, or even hundreds of thousands of dollars barely registered if it meant avoiding multi-million-dollar liabilities and minimising business downtime. As long as hackers could make their encryption too hard to crack for the insurers’ IT experts and deliver reliable decryption keys, they were in business – and victims were quick to pay. The patient bartering and coordination with law enforcement that are the hallmarks of kidnap for ransom insurance did not find a space in the fast-moving ransomware ecosystem. Equally worrying, the liability management protocol prevents information-sharing and intelligence gathering by the authorities.
What is individually rational became a broader social problem, however. Without meaningful resistance on ransom payments, attacks escalated, and ransom demands went up and up. When insurers raised their premia and introduced lower limits in response, companies finally beefed up their security and back-up solutions. But hackers innovated in turn. They weaponised the very privacy legislation that is at the heart of incident response by exfiltrating data and threatening to release it if payment is refused.
Our paper thus finds that “insurance as governance” has in fact worked – but not quite in the way scholars expected. Cyber-insurance supports enterprises in their business without making crippling security a condition for coverage: Both underwriters and business managers see security as a means, not as an end. Instead of focusing on reducing the number of incidents, insurers created a complex ecosystem of norms, protocols, and services to contain the cost of successful cyber-attacks. This system worked well for the purpose it was designed for – but was blindsided by the rapid advances in the ransomware business model.
We confidently expect many further rounds of innovation in both cyber-insurance and cybercrime. We suspect that governments will increasingly be called upon to regulate on cybersecurity standards, collect and share information and become more involved in law enforcement. And to the extent that this is unsuccessful, governments may have to insure some of the tail risks of cybercrime, just as they do for terrorism.
But to recruit cyber-insurance into meaningful crime governance, governments will have to reform the punitive nature of privacy regulation. If victims and their insurers focus primarily on avoiding fines and litigation and on keeping their tracks carefully covered, they will not create the kind of institutions that make it difficult for criminals to make profits. Mandatory reporting of ransoms and legal safe havens for firms that refuse to pay would be a positive step. Privacy laws were created to make companies more careful with their customers’ data. But in the current cybercrime tsunami, the rules once designed to punish the reckless now mostly threaten the unlucky – and incentivise them to cooperate with their extortionists.
Tom Baker is the William Maul Measey Professor of Law at the Carey Law School of the University of Pennsylvania.
Anja Shortland is a Professor of Political Economy at King’s College London.
This post is adapted from their paper, “Insurance and Enterprise: Cyber Insurance for Ransomware,” available on Springer.